US11985228B2ActiveUtilityA1

Configuration payload separation policies

54
Assignee: CISCO TECH INCPriority: Jul 30, 2021Filed: Jul 30, 2021Granted: May 14, 2024
Est. expiryJul 30, 2041(~15.1 yrs left)· nominal 20-yr term from priority
H04L 9/0825H04L 9/0866H04L 9/14H04L 12/4641H04L 63/0428H04L 63/06G06F 21/606H04L 9/0822H04L 9/0894
54
PatentIndex Score
0
Cited by
16
References
18
Claims

Abstract

Disclosed are systems, apparatuses, methods, and computer-readable media for configuration payload separation policies. According to at least one example, a method is provided for device function. The method includes: during a boot sequence of a network device, generating a unique key for encrypting and decrypting data; identifying a secure location in the network device for storing the unique key; storing the unique key in the secure location; encrypting a configuration payload with the unique key; storing the encrypted configuration payload in an external non-volatile memory; and, in response to a request to access data within the configuration payload, decrypting the encrypted configuration payload using the unique key.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 during a boot sequence of a network device, generating a first unique key for encrypting and decrypting data; 
 encrypting the first unique key with a second unique key to determine an encrypted first unique key; 
 storing the encrypted first unique key on an external non-volatile memory device; 
 encrypting a configuration payload with the first unique key; 
 storing the encrypted configuration payload on an internal non-volatile memory device; 
 in response to a request to access data within the configuration payload, decrypting the encrypted first unique key using the second unique key and decrypting the encrypted configuration payload using the first unique key; 
 authenticating the network device by performing a security check on each component of a plurality of different types of components of the network device; 
 in response to the authenticating of the network device, identifying, a secure location in the network device for storing the second unique key, wherein the secure location is one of the plurality of different types of components of the network device; 
 and storing the second unique key in the secure location that is accessible to the network device after authentication of the network device. 
 
     
     
       2. The method of  claim 1 , wherein the secure location is determined to be a most secure location of the network device, and wherein the plurality of different types of components of the network device includes non-volatile memory. 
     
     
       3. The method of  claim 1 , wherein the configuration payload comprises one or more of configuration information, IP addresses, VLAN information, security certificates, encryption keys, unique user information, log information, trace information, runtime application data. 
     
     
       4. The method of  claim 1 , wherein the external non-volatile memory is physically detachable from the network device. 
     
     
       5. The method of  claim 1 , wherein the external non-volatile memory comprises a network storage device. 
     
     
       6. The method of  claim 1 , further comprising:
 receiving a boot loader over a network to perform the boot sequence. 
 
     
     
       7. The method of  claim 1 , wherein sensitive information stored in the external non-volatile memory is inaccessible when detached from the network device. 
     
     
       8. A method comprising:
 during a boot sequence of a network device, generating a first unique key for encrypting and decrypting data; 
 encrypting the first unique key with a second unique key to determine an encrypted first unique key; 
 storing the encrypted first unique key on an external non-volatile memory device; 
 encrypting a configuration payload with the first unique key; 
 storing the encrypted configuration payload in an internal non-volatile memory of the network device; 
 in response to a request to access data within the configuration payload, decrypting the encrypted first unique key using the second unique key and decrypting the encrypted configuration payload using the first unique key; 
 authenticating the network device by performing security check on each component of a plurality of different types of components of the network device; 
 in response to the authenticating of the network device, determining a secure location for storing the second unique key in the network device, wherein the secure location is one of the plurality of different types of components of the network device; 
 and storing the second unique key in the secure location that is accessible to the network device after authentication of the network device. 
 
     
     
       9. The method of  claim 8 , wherein the configuration payload comprises one or more of configuration information, IP addresses, VLAN information, security certificates, encryption keys, unique user information, log information, trace information, runtime application data. 
     
     
       10. The method of  claim 8 , wherein the external non-volatile memory device is physically detachable from the network device. 
     
     
       11. The method of  claim 8 , further comprising:
 receiving a boot loader over a network to perform the boot sequence. 
 
     
     
       12. A network device comprising:
 one or more memories having computer-readable instructions; 
 and one or more processors configured to execute the computer-readable instructions to: 
 
       during a boot sequence, generate a first unique key for encrypting and decrypting data;
 encrypting the first unique key with a second unique key to determine an encrypted first unique key; 
 storing the encrypted first unique key on an external non-volatile memory device; 
 encrypting a configuration payload with the first unique key; 
 storing the encrypted configuration payload on an internal non-volatile memory device; 
 in response to a request to access data within the configuration payload, decrypting the encrypted first unique key using the second unique key and decrypting the encrypted configuration payload using the first unique key; 
 authenticating the network device by performing a security check on each component of the plurality of different types of components of the network device; 
 in response to the authenticating of the network device, identify a secure location in the network device for storing the second unique key, wherein the secure location is one of the pluralities of different types of components of the network device; 
 and storing the second unique key in the secure location that is accessible to the network device after authentication of the network device. 
 
     
     
       13. The network device of  claim 12 , wherein the secure location is determined to be a most secure location of the network device, and wherein the plurality of different types of components of the network device includes non-volatile memory. 
     
     
       14. The network device of  claim 12 , the configuration payload comprises one or more of configuration information, IP addresses, VLAN information, security certificates, encryption keys, unique user information, log information, trace information, runtime application data. 
     
     
       15. The network device of  claim 12 , the external non-volatile memory is physically detachable from the network device. 
     
     
       16. The network device of  claim 12 , the external non-volatile memory comprises a network storage device. 
     
     
       17. The network device of  claim 12 , wherein the instructions further cause the processor to:
 receive a boot loader over a network to perform the boot sequence. 
 
     
     
       18. The network device of  claim 12 , sensitive information stored in the network device is inaccessible when detached from the network device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.